The Canadian Program for Cyber Security Certification is now mandatory on select federal defence contracts. We get Canadian suppliers ready — from the 13-control Level 1 self-assessment to full Level 2 and Level 3 readiness. Led by a published CVE researcher, run from Toronto.
The CPCSC is Public Services and Procurement Canada's new mandatory cyber security certification for the defence supply chain — Canada's counterpart to the U.S. CMMC. Level 1 became available to suppliers on April 1, 2026, and starts appearing in select contracts this summer. If your certification is not in place when a solicitation closes, you are out of the running. Requirements also flow down to subcontractors who touch the protected information.
CPCSC controls come from ITSP.10.171, the Canadian Centre for Cyber Security's profile of NIST SP 800-171. The Level 1 subset is mapped against CAN/DGSI 104 so the work you do also counts toward broader Canadian baseline controls.
The sensitivity of the information in a given solicitation decides whether you need Level 1, 2, or 3. You do not choose your level — the contract does. We map your pipeline so you certify to the right level before, not after, the bid lands.
Level 1 is a self-assessment you re-attest every year through the Canada Buys procurement platform. Levels 2 and 3 add an annual affirmation on top of the formal assessment. We build the evidence and cadence so renewal is routine, not a fire drill.
We support readiness for all three CPCSC levels. Here is how they differ.
Level 1: Annual self-assessment, self-attested. 71 assessment objectives drawn from 6 of the 17 ITSP.10.171 control families:
Level 2: External assessment led by a certification body accredited by the Standards Council of Canada, plus an annual affirmation. Required when a contract involves controlled or more sensitive defence information.
Level 3: Assessment conducted by National Defence, plus an annual affirmation. Reserved for the highest-risk work — weapon systems, critical infrastructure, and information shared with Five Eyes partners.
Requirement counts reflect the program as published by PSPC and the Standards Council of Canada for 2026 and are confirmed against your specific solicitation during scoping.
A typical Level 1 engagement runs 2 to 5 weeks depending on how much foundation already exists. Below is what you walk away with.
CPCSC is new, but the underlying work — access control, authentication, evidence discipline — is the AppSec and compliance work we have done for years.
We are based in Toronto and work to the Canadian standards CPCSC is built on — ITSP.10.171 and CAN/DGSI 104 — not a U.S. CMMC playbook bolted onto a Canadian form. We know which control maps to which assessment objective on the Canada Buys attestation.
Our founder is a published security researcher with multiple CVEs, and we have taken startups from zero to a passed SOC 2 Type II audit. The discipline that survives an external auditor is the same discipline that survives a CPCSC certification body.
We are a readiness and advisory partner, not a certification body. We close gaps, build evidence, run a mock assessment, and complete your Level 1 self-assessment with you — then hand you to an accredited assessor for Level 2 with nothing left to fix.
Three phases. Fixed scope, no surprises on the invoice.
We confirm which level your contracts require, define the boundary of the systems in scope, and assess your current state against every applicable ITSP.10.171 control and assessment objective. You get a clear gap list ranked by effort and risk.
We help your team close the gaps and produce the evidence each control needs — policies, configurations, access reviews, and a system security plan. For Levels 2 and 3 we build the POA&M and prep you for the external assessor.
For Level 1 we complete and file the self-assessment with you on Canada Buys. For higher levels we run a mock assessment before the real one. Then we set the annual renewal cadence so you stay certified without scrambling.
Tell us which contracts you are chasing. We will tell you the level you need and scope the readiness work in one call.
The Canadian Program for Cyber Security Certification (CPCSC) is a mandatory cyber security certification program for contractors and subcontractors bidding on select Government of Canada defence contracts. It is led by Public Services and Procurement Canada (PSPC), with certification bodies accredited by the Standards Council of Canada and the highest-level assessments conducted by National Defence. It is Canada's counterpart to the U.S. CMMC and is built on the ITSP.10.171 control set, Canada's profile of NIST SP 800-171.
Level 1 requires an annual self-assessment against 13 security requirements and is self-attested. Level 2 requires an external assessment led by an accredited certification body plus an annual affirmation, against roughly 98 requirements. Level 3 requires assessments conducted by National Defence plus an annual affirmation, against roughly 200 requirements. The level required is set by the sensitivity of the information in a given contract.
Level 1 asks suppliers to confirm the implementation status of 13 security requirements drawn from 6 of the 17 ITSP.10.171 control families, totalling 71 assessment objectives. The families cover access control, identification and authentication, media protection, physical protection, system and communications protection, and system and information integrity. The self-assessment is completed annually and attested through the Canada Buys procurement platform.
Level 1 became available to suppliers on April 1, 2026, and Level 1 requirements begin appearing in select defence contracts in summer 2026. The Government of Canada is rolling requirements out in phases so suppliers have time to prepare. Higher levels and a wider set of contracts follow as the program matures.
Often yes. Certification requirements flow down the supply chain. If you handle the protected information covered by a contract, you can be required to hold the same level as the prime, even if you never contract directly with the government. We help map which of your contracts and data flows will trigger a requirement and at what level.
No, and you should be cautious of anyone who claims they can. Level 2 certifications are issued only by certification bodies accredited by the Standards Council of Canada, and Level 3 is assessed by National Defence. We are a readiness and advisory partner: we close your control gaps, build the evidence, run a mock assessment, and complete your Level 1 self-assessment with you so that when you reach an accredited assessor there are no surprises.